Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.
1453 Discussions

Platform services enclave

vickey
Beginner
‎03-14-2021 05:14 AM
845 Views
Solved Jump to solution

Which parameter decides whether PSE(platform service enclave) will be used?and what is the implication of PSE.Why we needs to use it?. For parameter I mean sgx application enclave,sgx application itself,remote challenger,intel attestation service,or something else?

0 Kudos
1 Solution
JesusG_Intel
Moderator
‎03-15-2021 01:07 PM
808 Views
Solved Jump to solution

Hello vickey,


The Intel® Software Guard Extensions Remote Attestation End-to-End Example explains the purpose of the Platform Services Enclave (PSE):

"The PSE is an architectural enclave included in the Intel SGX software package that supplies services for trusted time and a monotonic counter. These can be used for replay protection during nonce generation and for securely calculating the length of time for which a secret should be valid."


The PSE is used mainly in two scenarios:

  1. Remote Attestation - Refer to the section Remote Attestation and Protected Session Establishment in the Intel SGX Developer Reference Guide for Windows and to the Intel® Software Guard Extensions Remote Attestation End-to-End Example for details on the remote attestation flow. The ISV application, also known as the untrusted app, determines whether to use Platform Services by setting b_pse = 1 when it initiates the enclave. The enclave then passes b_pse to sgx_ra_init, which is used to generate the remote attestation context. When this variable is set, Msg3, from the client to the service provider, includes platform services information. Upon receiving Msg3, the payload that the service provider sends to the Intel Attestation Service will include a PSE Manifest and nonce.


Refer to Section 4.1 Attestation Evidence Payload of the SGX Attestation API Spec, for definitions of the PSE Manifest and Nonce.


A PSE session must be established in order to request platform service. The enclave implementation in the sgx-ra-sample shows how to use sgx_create_pse_session based on the value of b_pse.


2.Sealing Data - Refer to the section SealedData in the Intel SGX Developer Reference Guide for Windows for information on how the Monotonic Counter and Trusted Time Services, which are provided by the PSE, are used to protect enclave secrets that are stored outside of the enclave, such as on disk. For the implementation, refer to the SealedData sample in the Intel SGX SDK for Windows.


Note that enclaves running on server hardware do not have a Platform Services Enclave, and cannot utilize client specific features.


Support for Intel® Software Guard Extensions (Intel® SGX) Platform Services was removed from all Linux*-based platforms, including client platforms, beginning with Intel SGX SDK for Linux 2.9.


The Intel SGX API for monotonic counters is still part of the Intel® Software Guard Extensions (Intel® SGX) SDK for Windows* and is supported on Windows® 10 platforms through the Intel SGX Platform Software for Windows. The Intel SGX Platform Software for Windows is usually installed through Windows Update from the platform OEM.


Sincerely,

Jesus G.

Intel Customer Support


View solution in original post

0 Kudos
Copy link

Link Copied

3 Replies
JesusG_Intel
Moderator
‎03-15-2021 01:07 PM
809 Views
Solved Jump to solution

Hello vickey,


The Intel® Software Guard Extensions Remote Attestation End-to-End Example explains the purpose of the Platform Services Enclave (PSE):

"The PSE is an architectural enclave included in the Intel SGX software package that supplies services for trusted time and a monotonic counter. These can be used for replay protection during nonce generation and for securely calculating the length of time for which a secret should be valid."


The PSE is used mainly in two scenarios:

  1. Remote Attestation - Refer to the section Remote Attestation and Protected Session Establishment in the Intel SGX Developer Reference Guide for Windows and to the Intel® Software Guard Extensions Remote Attestation End-to-End Example for details on the remote attestation flow. The ISV application, also known as the untrusted app, determines whether to use Platform Services by setting b_pse = 1 when it initiates the enclave. The enclave then passes b_pse to sgx_ra_init, which is used to generate the remote attestation context. When this variable is set, Msg3, from the client to the service provider, includes platform services information. Upon receiving Msg3, the payload that the service provider sends to the Intel Attestation Service will include a PSE Manifest and nonce.


Refer to Section 4.1 Attestation Evidence Payload of the SGX Attestation API Spec, for definitions of the PSE Manifest and Nonce.


A PSE session must be established in order to request platform service. The enclave implementation in the sgx-ra-sample shows how to use sgx_create_pse_session based on the value of b_pse.


2.Sealing Data - Refer to the section SealedData in the Intel SGX Developer Reference Guide for Windows for information on how the Monotonic Counter and Trusted Time Services, which are provided by the PSE, are used to protect enclave secrets that are stored outside of the enclave, such as on disk. For the implementation, refer to the SealedData sample in the Intel SGX SDK for Windows.


Note that enclaves running on server hardware do not have a Platform Services Enclave, and cannot utilize client specific features.


Support for Intel® Software Guard Extensions (Intel® SGX) Platform Services was removed from all Linux*-based platforms, including client platforms, beginning with Intel SGX SDK for Linux 2.9.


The Intel SGX API for monotonic counters is still part of the Intel® Software Guard Extensions (Intel® SGX) SDK for Windows* and is supported on Windows® 10 platforms through the Intel SGX Platform Software for Windows. The Intel SGX Platform Software for Windows is usually installed through Windows Update from the platform OEM.


Sincerely,

Jesus G.

Intel Customer Support


0 Kudos
Copy link
JesusG_Intel
Moderator
‎03-19-2021 11:11 AM
787 Views
Solved Jump to solution

Hello Vickey,


Do you have any further questions regarding Platform Services?


Sincerely,

Jesus G.

Intel Customer Support


0 Kudos
Copy link
JesusG_Intel
Moderator
‎03-23-2021 04:46 PM
775 Views
Solved Jump to solution

This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.


0 Kudos
Copy link
Reply

Community support is provided during standard business hours (Monday to Friday 7AM - 5PM PST). Other contact methods are available here.

Intel does not verify all solutions, including but not limited to any file transfers that may appear in this community. Accordingly, Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade.

For more complete information about compiler optimizations, see our Optimization Notice.